libselinux is currently being copied to APEXes. This is risky because
the library is not designed to be portable; part of it is tied to the
specific version of the Android that it was developed for.
This change fixes the problem by declaring that the library supports
a stub with the list of C APIs that are included in the stub. Then there
is only one copy of libselinux in /system/lib and other APEXes use the
copy by dynamically linking to it.
Also, adbd no longer statically links to it, because doing so brings
libselinux in it.
Bug: 151053366
Test: m com.android.adbd. It doesn't include libselinux in it.
Test: m com.android.adbd-deps-info. then inspect
out/soong/com.android.adbd-deps-info.txt. The dependency to libselinux
is shown as '(external)'.
Exempt-From-Owner-Approval: cherry-pick from AOSP
Merged-In: If418cbe3abdeacb759d59052e6dca4c2067678dd
(cherry picked from commit 3ffdad0cb5)
Change-Id: If418cbe3abdeacb759d59052e6dca4c2067678dd
Some devices expose the battery state of stylus etc in sysfs,
in addition to the whole system's main battery. Android only
recognizes the first battery enumerated here. We need to
filter out such HID-specific battery to let Android correctly
monitor the main battery status.
Bug: 136111013
Test: CtsBatterySavingTestCases on arcada
Change-Id: I4cbf6e3bf883fb3d107bedd2849d8ad525538629
Refactors implementation details to allow for atom-level annotations.
This CL does not change the API surface. addBoolAnnotation and
addInt32Annotation work for both atom-level and proto field annotations.
Test: bit libstatssocket_test:*
Bug: 151158794
Change-Id: I2c340b201aeb3bcddd5cfde171b7c4df1d8d69a4
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.
While this sometimes indicate missing kconfig options, it can still
happen even if all needed kconfig options are enabled. This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512". But
often an implementation of the full composition doesn't exist.
However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all. First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android. Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.
Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later. Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.
Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them. However, the modules are actually inserted by
userspace by 'init', not autoloaded.
It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string. So, let's do that.
This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.
Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type(). To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).
Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343
Test: Tested on cuttlefish and coral:
- Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
before this change, and the empty string after.
- Checked that if all SELinux rules for module_request are removed,
there are SELinux denials for module_request before this change
but none after.
- Ran lsmod both before and after and verified that the list is the
same, i.e. checked that this change doesn't break how Android
actually loads kernel modules.
Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
Merged-In: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
... so that an operation can be skipped partially. For example, if
an operation contains blocks:
563412 -> 123456
... then optimized operation is:
5612 -> 1256
Test: update_engine_unittests
Test: apply incremental OTA
Bug: 148623880
In an experiment, this reduces CoW size of an incremental update
package by 200MB (out of 700MB).
Change-Id: I86ca23fd589ddbc84c81318283b5f4e71782a759
Merged-In: I86ca23fd589ddbc84c81318283b5f4e71782a759
For currently unknown reasons, sideloading is broken with
libadbd_services as a cc_library_static.
Partial revert of commit a9b62d5452.
Bug: http://b/151056300
Test: xunchang@ tested manually
Change-Id: Iaffad9c476ba0adcffc5db512ba4a7ee0fb5cb22
(cherry picked from commit 7f8a37c8c7)
In case of GSI on DSU, /data is mounted on the following stack:
userdata -> userdata_gsi -> actual block device, and fstab returned from
ReadDefaultFstab() function will say that /data should be
mounted onto userdata_gsi. This configuration wasn't supported.
To support it, fs_mgr_get_mounted_entry_for_userdata now unwinds the
dm-device stack /data is mounted onto, and for each entry in fstab
resolves corresponding block device (in case of logical partitions by
asking DeviceMapper to resolve name -> path, and for other cases by
reading a symlink), and then checking whenever resolved block device
belongs to the unwinded stack.
Test: on both normal boot & DSU
Test: atest CtsUserspaceRebootHostSideTestCases
Test: atest CtsFsMgrTestCases
Bug: 148612148
Change-Id: I1bb3e64ae92d56de905b4f7f1997b7499b101b0f
liblog is a platform library that provides stable C API. There is no
need to include the library, especialy by statically linking to it, in
any APEX. It not only wastes the storage/ram, but also is incorrect
because the socket interface to logd which is implemented in liblog is
not guaranteed to be stable.
Fixing this issue by converting static_libs: ["liblog"] into
shared_libs: ["liblog"], in which case the dependency to the library
is satisfied via the stub variant of the library.
As a result, we could restrict the availablity of the library to
the platform and the runtime APEX.
Exempt-From-Owner-Approval: already approved when this was in internal
master (ag/10572699)
Bug: http://b/151051671
Bug: http://b/150827719
Test: m
Merged-In: I5aab863cb12b8767b6979255c247000a59355b0e
(cherry picked from commit 95b6f45b0e)
Change-Id: I5aab863cb12b8767b6979255c247000a59355b0e
In case multiple threads try to reference this variable while it is
being set, it should be atomic so that all threads always see a valid
value.
Bug: 150898477
Test: liblog, libbase unit tests
Merged-In: If6c9e291f2471b96a752dc6e76e3e63458b71391
Change-Id: If6c9e291f2471b96a752dc6e76e3e63458b71391
(cherry picked from commit bbb16022c7)
Replace the original on demand start mechanism with the new dynamic
AIDL service infrastructure to resolve a possible race condition.
Bug: 149130673
Test: gsi_tool status
Merged-In: Ia5f32579a8dcf62d700d974c7f4e3c65647f3b8b
Change-Id: Ia5f32579a8dcf62d700d974c7f4e3c65647f3b8b
Previously, we were waiting for the other end to respond after every
file sent, which results in massive slowdown when there's any amount of
latency on the transport.
This improves performance on a cuttlefish instance with ~7ms RTT from:
system/: 2037 files pushed, 0 skipped. 2.8 MB/s (762803979 bytes in 262.964s)
to:
system/: 2037 files pushed, 0 skipped. 11.9 MB/s (762803979 bytes in 61.278s)
Bug: https://issuetracker.google.com/150827486
Test: ./test_device.py
Change-Id: I3a0c893faa5d455cc6ccbc86915a17e1b5abbfbe
(cherry picked from commit 64ff82ba68)
When libbacktrace.a is statically lined to somewhere, that library had
to add libasync_safe.a to static_libs because libbacktrace.a has
references to libasync_safe.a. But libbacktace depending on
libasync_safe is an implementation detail of libbacktrace, and therefore
its client shouldn't be affected by it.
Fixing this by doing the whole static link to libasync_safe to
libbacktrace.a so that the former is included in libbacktrace.a
Bug: 149569129
Test: m
Change-Id: If7366a240bc945dda9944fe7c111e10d328165bb
libbase is a popular library that is used by many APEXes either directly
or transitively. It is being used by several Mainline modules that were
launched with Q, in which case everything in the APEX - including
libbase - shouldn't use new APIs that are added post Q, i.e. R.
libbase however is using a few new R symbols from liblog, and this is
preventing those Q-launching Mainline modules that are built in R source
tree from being installed to Q devices.
Fortunately, the dependencies to the new R symbols are guarded with a
flag; when the existence of the symbols are not guaranteed, it uses
dlsym. This change fixes the aforementioned problem by turning on the
flag also when libbase is built for an APEX.
Bug: 149569129
Test: TARGET_BUILD_APPS=com.android.media
vendor/google/build/build_mainline_modules.sh
adb install --staged out/dist/mainline_modules_arm64/com.android.media.apex
adb reboot
The APEX is installed and mediaextractor process doesn't crash
Change-Id: I44b5ec028850613cb45fc3e792f43cd8e87cfd00
This reverts commit faa49d1d00.
Reason for revert: Callstack should not be logged.
Test: none
Bug: 148818798
Change-Id: Ie5506ae0c7408e255a464b2f403d0a47d272229e
Now that update_engine is responsible for initiating the
merge, InitiateMergeAndWait function becomes useless.
Bug: 147696014
Test: libsnapshot_test
Change-Id: I5473dc543ca8ac2fd31f597720847b02d0e5e33d
Also fixes a bug in the tests where the platform version was being
checked by querying version.release instead of version.codename
(currently, version.release == 10, while version.codename == R).
Test: bit libstatspush_compat_test:* (on Q and R)
Test: libsstatssocket.so is not placed in resolv apex (on R)
1|bonito:/ $ ls apex/com.android.resolv/lib64
libclang_rt.ubsan_standalone-aarch64-android.so
libcrypto.so
libnetd_resolv.so
libssl.so
Test: NETWORK_DNS_EVENT_REPORTED atom is logged to statsd (on R)
- adb shell cmd stats print-stats (atom 116 count > 0)
Bug: 148743333
Change-Id: Ib3eaa32835905bcf6e3b003054bf0f3c4e7ec0a4
Merged-In: Ib3eaa32835905bcf6e3b003054bf0f3c4e7ec0a4
(cherry picked from commit 9848eb4f1c)
Logic of unwinding dm-device stack to figure out what entry was used to
mount userdata turned out to be a little bit more involved, and it
shouldn't be part of libfstab
This CL just moves code around and cleans API a little bit, actual fix
will be in the follow-up CL.
Test: atest CtsFsMgrTest
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 148612148
Change-Id: If0f8a765dba63adb0e6a711eb81fffdcabea3480
On userdebug/eng devices, check a system property to see whether we
should create tombstones or not. OEMs that would rather have core dumps
can set this property and configure /proc/sys/kernel/core_pattern
appropriately.
Bug: https://issuetracker.google.com/149663286
Test: set the property, cause a crash
Change-Id: If894b4582a1820b64bdae819cec593b7710cb6e3
(cherry picked from commit 530ab81e42)
am skip reason: Change-Id I1232fec5f1d0be7e5fb6aa5c46f6c2c5529bfc6c with SHA-1 8e77b789f8 is in history
Change-Id: I0e13c779e06c07a648e4ac8ccbfeec437f4dbb7a
The rollback indicator is created during first stage init and
is unlabeled. Need to restorecon it properly so that it can
be properly deleted by update_engine later.
Bug: 149956852
Bug: 150907679
Test: apply OTA, reboot, look at serial console
Change-Id: Ie954023b557865691fec2ae378145596bf1973a9
adb remount and snapshot-based updates use ImageManager in first-stage
init. This creates status files, which need to be labelled.
Bug: 148834619
Test: manual test
Change-Id: I72949fca2889f9e5612049844a78bf9355b48797
Merged-In: I72949fca2889f9e5612049844a78bf9355b48797
The original CL was missing these.
Bug: 149591522
Test: build
Merged-In: I99615b81cfe9166a00c812a8642ecf1244bf08b9
Change-Id: I99615b81cfe9166a00c812a8642ecf1244bf08b9
(cherry picked from commit d620ec7fb9)
Change API for SnapshotMergeStats so that it is easier
for update_engine to use.
Test: apply OTA and look at stats
Bug: 147696014
Bug: 138817833
Change-Id: Ie4036ac7382102c00f0761f443d78e00b9e585d5
Merged-In: Ie4036ac7382102c00f0761f443d78e00b9e585d5
Now that update_engine is responsible for initiating the
merge, WaitForMerge function becomes useless.
Bug: 147696014
Test: compiles
Change-Id: I3779bdf9dd8d1716238e21d09acf0499e3fc90a3
Merged-In: I3779bdf9dd8d1716238e21d09acf0499e3fc90a3
In CheckMergeState / HandleCancelledUpdate, if removing update state
fails, just return the previous state. It used to return Cancelled,
and the error goes unnoticed.
Test: pass
Bug: 147696014
Change-Id: I9cb3d20c5c886afa1913740c903eaad08f0cc041
Merged-In: I9cb3d20c5c886afa1913740c903eaad08f0cc041
If updated then immediately flashed target slot at unverified
stage, update_engine attempts to call RemoveAllSnapshots, but
it used to fail because unmapping fails. In reality, these devices
are dm-linear targets, so unmapping them is optional.
- Introduce a GetSnapshotFlashingStatus function that expose more
information than AreAllSnapshotsCancelled. We can use the returned
map<string, bool> to determine whether a partition is flashed or
not.
- Introduce ShouldUnmapDeleteSnapshot which determines whether
unmapping / deleteting a snapshot is needed in RemoveAllSnapshots.
Test: apply OTA, flash target slot, then inspect logs
Bug: 147696014
Change-Id: I0853d1e213566af2a3401e46fac7d9586cee7aaf
Merged-In: I0853d1e213566af2a3401e46fac7d9586cee7aaf
Jiyong Park